Find notable cyber news and cases, enriched with sources, timelines, and signals.

Malicious NuGet package activity targeting ASP.NET Identity

Malware Activity
First reported
Last updated
Happening score
H score 37
1 unique sources, 1 articles

Summary

Hide ▲

Four malicious NuGet packages were uncovered that exfiltrate ASP.NET Identity data and create persistent backdoors, putting deployed ASP.NET applications at risk. The packages were published between August 12 and 21, 2024 and later removed after responsible disclosure. One package, NCryptYo, staged a localhost:7152 proxy to relay traffic to attacker-controlled infrastructure. The companion packages, DOMOAuth2_, IRAOAuth2.0, and SimpleWriter_, added theft, file-writing, and hidden execution capabilities.

Related Happenings

Postcss-minify-selector-parser Windows RAT delivery chain

Malware Activity
H score29 First: 23.06.2026 18:00 Last: 23.06.2026 18:00 Sources 1

About this happening: The **postcss-minify-selector-parser** npm package delivered a **multi-stage Windows RAT**, creating a supply-chain path onto **developer machines** and exposing **browser logins*...

Mastra @mastra/* npm packages hit by network compromise

Incident
H score47 First: 17.06.2026 10:38 Last: 17.06.2026 10:38 Sources 1

About this happening: **Mastra** @mastra/* npm packages were **compromised** in a **software supply chain attack** that spread through the namespace on **2026-06-17**. Microsoft now attributes the acti...

Latest development: 20.06.2026 17:09

Microsoft attributed the Mastra AI supply chain attack to Sapphire Sleet, also known as BlueNoroff, and said the attackers compromised the npm maintainer account ehindero, which had publishing privileges across the Mastra package environment. The June 19 update said more than 140 packages in the @mastra scope were modified to inject easy-day-js.

Inactive maintainer account 'atiertant' hit by network compromise

Incident
H score13 First: 15.05.2026 20:10 Last: 15.05.2026 20:10 Sources 1

About this happening: The **inactive maintainer account 'atiertant'** for **node-ipc** was **compromised**, enabling malicious package releases that could steal credentials from downstream installation...

Node-ipc malicious versions with stealer/backdoor payload

Malware Activity
H score34 First: 14.05.2026 20:22 Last: 14.05.2026 20:22 Sources 1

About this happening: Three **node-ipc** releases now carry an **obfuscated stealer/backdoor** that can harvest **developer and cloud secrets** from any system that loads the package. The malicious cod...

Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials

Campaign
H score56 First: 12.05.2026 14:29 Last: 12.05.2026 14:29 Sources 1

About this happening: The **Shai-Hulud** **supply-chain campaign** now includes a fresh **PyPI** wave that compromised **19 packages** across **37 malicious releases**, with popular bioinformatics tool...

Timeline

  1. 25.02.2026 14:43 2 articles · 4mo ago

    Malicious NuGet packages target ASP.NET Identity

    Initial Disclosure

    Four NuGet packages—NCryptYo, DOMOAuth2_, IRAOAuth2.0, and SimpleWriter_—were published between August 12 and 21, 2024 by hamzazaheer and later removed after responsible disclosure. The packages targeted ASP.NET web application developers by exfiltrating ASP.NET Identity data, including user accounts, role assignments, and permission mappings, while manipulating authorization rules to create persistent backdoors in victim applications; NCryptYo masqueraded as NCrypto and staged a localhost:7152 proxy to relay traffic to attacker-controlled C2, DOMOAuth2_ and IRAOAuth2.0 forwarded Identity data through that proxy, and SimpleWriter_ added unconditional file writing and hidden process execution.

    Show sources